---
title: Getting started for App and API Protection for Go
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > App and API Protection > Enabling App and API
  Protection > Enabling App and API Protection for Go > Getting started for App
  and API Protection for Go
---

# Getting started for App and API Protection for Go

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). ().
{% /alert %}

{% /callout %}

## Prerequisite{% #prerequisite %}

- The [Datadog Agent](https://app.datadoghq.com/account/settings#agent) is installed and configured for your application's operating system or container, cloud, or virtual environment.
- Your service framework and tools are [compatible](https://docs.datadoghq.com/security/application_security/setup/compatibility/go/) with Datadog [Application and API Protection](https://docs.datadoghq.com/security/application_security/setup/compatibility/go/?tab=v2#web-framework-compatibility).
- Your deployment environment is [supported](https://go.dev/doc/devel/release#policy).
- You have one of the latest two versions of [Go](https://go.dev/) installed (following the [Official Release Policy](https://go.dev/doc/devel/release#policy)).

## Get started{% #get-started %}

1. Install [Orchestrion](https://datadoghq.dev/orchestrion):

   ```console
   $ go install github.com/DataDog/orchestrion@latest
   ```

1. Register Orchestrion as a Go module in your project directory:

   ```console
   $ orchestrion pin
   ```

1. Datadog provides a series of pluggable packages that provide native support for instrumenting a series of Go libraries and frameworks. A list of these packages can be found in [Compatibility Requirements](https://docs.datadoghq.com/security/application_security/setup/compatibility/go/?tab=v2#web-framework-compatibility). Import these packages into your application and follow the configuration instructions listed alongside each integration.

1. Recompile your program with Orchestrion using the `appsec` build:

   ```console
   $ orchestrion go build -tags=appsec my-program
   ```

For more options on how to use Orchestrion, see [Orchestrion usage](https://docs.datadoghq.com/tracing/trace_collection/automatic_instrumentation/dd_libraries/go/?tab=compiletimeinstrumentation#usage).

Note: If you are building without [CGO](https://go.dev/wiki/cgo) on Linux, see [Building Go applications with CGO disabled](https://docs.datadoghq.com/security/application_security/setup/go#building-without-cgo).
Redeploy your Go service and enable App and API Protection by setting the `DD_APPSEC_ENABLED` environment variable to `true`:
{% tab title="Environment Variable" %}

```console
$ env DD_APPSEC_ENABLED=true ./my-program
```

{% /tab %}

{% tab title="Docker CLI" %}
Add the following environment variable value to your Docker command line:

```console
$ docker run -e DD_APPSEC_ENABLED=true [...]
```

For more information on how to create a fitting docker image, See [Creating a Dockerfile for App and API Protection for Go](https://docs.datadoghq.com/security/application_security/setup/go/dockerfile).
{% /tab %}

{% tab title="Dockerfile" %}
Add the following environment variable value to your application container's Dockerfile:

```Dockerfile
ENV DD_APPSEC_ENABLED=true
```

For more information on how to create a fitting docker image, See [Creating a Dockerfile for App & API Protection for Go](https://docs.datadoghq.com/security/application_security/setup/go/dockerfile).
{% /tab %}

{% tab title="Kubernetes" %}
Update your application's deployment configuration file for APM and add the following environment variable:

```yaml
spec:
  template:
    spec:
      containers:
        - name: <CONTAINER_NAME>
          image: <CONTAINER_IMAGE>/<TAG>
          env:
            - name: DD_APPSEC_ENABLED
              value: "true"
```

For more information on how to create a fitting docker image, See [Creating a Dockerfile for App and API Protection for Go](https://docs.datadoghq.com/security/application_security/setup/go/dockerfile).
{% /tab %}

{% tab title="Amazon ECS" %}
Update your application's ECS task definition JSON file using this environment section:

```json
"environment": [
  ...,
  {
    "name": "DD_APPSEC_ENABLED",
    "value": "true"
  }
]
```

For more information on how to create a fitting docker image, See [Creating a Dockerfile for App and API Protection for Go](https://docs.datadoghq.com/security/application_security/setup/go/dockerfile).
{% /tab %}

### Verify your setup{% #verify-your-setup %}

To verify that App and API Protection is working correctly:

To see App and API Protection threat detection in action, send known attack patterns to your application. For example, trigger the [Security Scanner Detected](https://docs.datadoghq.com/security/default_rules/security-scan-detected/) rule by running a file that contains the following curl script:

```
for ((i=1;i<=250;i++)); do# Target existing service's routescurl https://your-application-url/existing-route -A Arachni/v1.0;# Target non existing service's routescurl https://your-application-url/non-existing-route -A Arachni/v1.0;done
```

A few minutes after you enable your application and exercise it, **threat information appears in the [Application Trace and Signals Explorer](https://app.datadoghq.com/security/appsec) in Datadog**.

{% video
   url="https://datadog-docs.imgix.net/images//security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" /%}

### Building without CGO{% #building-without-cgo %}

If you are building your Go application without [CGO](https://go.dev/wiki/cgo), you can still enable App and API Protection by following these steps:

1. Add the `appsec` build tag when compiling your application:
   ```console
   $ CGO_ENABLED=0 orchestrion go build -tags appsec my-program
   ```

{% alert level="danger" %}
Disabling CGO usually guarantees a statically-linked binary. This is will not be the case here.
{% /alert %}

Install `libc.so.6`, `libpthread.so.0` and `libdl.so.2` on your system, as these libraries are required by the Datadog WAF: This installation can be done by installing the `glibc` package on your system with your package manager. See [Creating a Dockerfile for App and API Protection for Go](https://docs.datadoghq.com/security/application_security/setup/go/dockerfile).

Redeploy your Go service with the `DD_APPSEC_ENABLED=true` environment variable set, as described above.

### Building with Bazel{% #building-with-bazel %}

If you are using Bazel and [rules_go](https://github.com/bazel-contrib/rules_go) to build your Go application, [Orchestrion](https://docs.datadoghq.com/tracing/trace_collection/automatic_instrumentation/dd_libraries/go/?tab=compiletimeinstrumentation#usage) is not compatible with Bazel. Instead, you can use the [Datadog Go Tracer library](https://docs.datadoghq.com/tracing/trace_collection/automatic_instrumentation/dd_libraries/go/?tab=manualinstrumentation#add-the-tracer-library-to-your-application) to instrument your application manually.

App and API Protection relies on [purego](https://github.com/ebitengine/purego) to support its C++ biddings to DataDog's WAF, which requires special attention inside the `repositories.bzl` generated by Gazelle. Under the `go_repository` rule for `com_github_ebitengine_purego`, you need to add the `build_directives` attribute with the `gazelle:build_tags cgo` directive. For example:

```
    go_repository(
        name = "com_github_ebitengine_purego",
        build_directives = [
            "gazelle:build_tags cgo",
        ]
        build_file_proto_mode = "disable",
        importpath = "github.com/ebitengine/purego",
        sum = "<your-checksum>",
        version = "v0.8.3",
    )
```

## Using App and API Protection without APM tracing{% #using-app-and-api-protection-without-apm-tracing %}

If you want to use App and API Protection without APM tracing functionality, you can deploy with tracing disabled:

1. Configure your tracing library with the `DD_APM_TRACING_ENABLED=false` environment variable in addition to the `DD_APPSEC_ENABLED=true` environment variable. This configuration reduces the amount of APM data sent to Datadog to the minimum required by App and API Protection products.

For more details, see [Standalone App and API Protection](https://docs.datadoghq.com/security/application_security/guide/standalone_application_security/).

## Further Reading{% #further-reading %}

- [App & API Protecion SDK for Go](https://docs.datadoghq.com/security/application_security/setup/go/sdk)
- [Adding user information to traces](https://docs.datadoghq.com/security/application_security/add-user-info/)
- [Tracer source code](https://github.com/DataDog/dd-trace-go)
- [Orchestrion source code](https://github.com/DataDog/orchestrion)
- [OOTB App and API Protection Rules](https://docs.datadoghq.com/security/default_rules/?category=cat-application-security)
- [Troubleshooting App and API Protection](https://docs.datadoghq.com/security/application_security/troubleshooting)